Interpreting Cyber Risk Trends

There's no scarcity of metrics on the cyber threats facing financial institutions. Software and hardware vendors and many consulting firms often publish reports from their data or experiences. Reviewing these reports can take hours, and with time as the scarcest of resources, administrators need to be able to zero in on the most relevant information.

Below is a cross section of important points from some of the most popular and widely regarded studies. We've also taken a deeper dive into each issue in an effort to highlight how these trends translate into the banking sector.

Continued mobile threats

HP's Cyber Risk Report (registration required) focuses on applications and has information on the mobile threat landscape that is particularly applicable to FIs increasing their mobile banking footprint. Among other findings, the report revealed that, "nearly 46 percent of iOS and Android applications analyzed use encryption improperly."

Unfortunately, administrators are growing weary when it comes to mobile device security. Predictions in 2013 about rampant malware threats haven't really materialized. But that doesn't mean the financial sector can get complacent. Smartphones and tablets are becoming ubiquitous and are used so casually that it is almost a perfect storm of exposure. Attackers haven't taken advantage of the weaknesses so far, but we can't be certain they won't do so in the future. Network managers must recognize the very real threat mobile device vulnerabilities pose, and they must remain vigilant when it comes to managing this point of risk.

The mega breach

Symantec's Internet Security Threat Report is known for its focus on all things web. Among the trends noted in this year's study was the impact of the "mega breach." The total number of breaches in 2013 climbed 62% from 2012, but the bigger news may have been that eight of last year's breaches exposed more than 10 million identities each.

For the financial industry, the effects of these massive events go much deeper. Day-to-day operations are impacted, from the need to monitor huge numbers of accounts for potential fraud to the issuance of millions of new payment cards. No matter where the exposure occurred (retailers suffered the majority of the mega breaches), banks are often the first place consumers turn for answers about account security. Ongoing identity theft concerns will surely occupy FIs for many months to come.

Data breach costs

The Ponemon Institute has a strong history of gathering data on financial damages, and its Cost of Data Breach Study (registration required) is a valuable tool. Of special interest to FIs will be the findings that several proactive steps -- having a robust security posture, implementing an incident response plan, and appointing a CISO -- reduced data breach costs per record by $14.14, $12.77, and $6.59, respectively. Given the mega-breach trend, these per-record-breached amounts add up quickly.

Reactive efforts to data exposures are often the focus for banks and credit unions. Customers are issued new payment cards -- sometimes out of an abundance of caution, rather than in response to confirmed fraud -- and account monitoring typically happens after the fact. But the Ponemon study shows the tangible monetary value behind specific preventive measures.

Watering holes

A combination of findings highlights a particularly dangerous trend. HP's report includes a ZDI analysis that finds Java is susceptible to nearly every common software vulnerability. Symantec's report showed an increased use of "watering hole" attacks, which leverage weaknesses in less secure sites ultimately to go after more lucrative and highly secure organizations.

These industry-spanning dangers are especially concerning for banks. Malware, security gaps, watering holes, and Heartbleed-type vulnerabilities allow hackers to find entry points and use those compromised connections to sneak past the often robust protections guarding financial networks. Segmenting and encrypting sensitive data against these attacks should be a priority for banks, since security weaknesses across the web will be an ongoing concern.

Overall trends

Verizon's Data Breach Investigations Report is full of analysis, so much so that network administrators may not have the time to digest the entire report. But just a few points in the study can offer FIs enough information to focus on the areas where they're most vulnerable.

According to Verizon, 75% of breach incidents in the FI sector over the past decade involved "web application attacks, distributed denial of service (DDoS) and card skimming." To make the best use of available resources, banks should prioritize security efforts in those areas.

Fortunately, measures don’t have to be elaborate or expensive to be effective. In its 2013 study, Verizon found that 78% of attacks rated "low" or "very low" in difficulty. (The company did not update that figure in this year's report. The trend has held true for several years, and we have no indication this year would be any different.) This means FIs implementing fundamental, relatively low-cost but relevant security measures will be ahead of the game in protecting their networks from thieves.

Deena Coffman is chief executive officer of IDT911 Consulting and has broad experience providing guidance to clients adopting technology or building programs relating to data privacy, data security, and electronic discovery. Prior to joining IDT, she was the chief operating ...

I know that by law bank boards must review disaster recovery plans & testing once or twice a year. Does anyone know if there are similar requirements around cybersecurity, customer privacy and other data security-related concerns?

Thanks for this overview, Deena. It doesn't seem that there's much good news in these trends -- clearly dealing with security is becoming ever more complicated, challenging and expensive. These reports also illustrate how critical it is for security to be addressed at the board level. A number of the recommendations, including appointment of a CISO, are not something that a bank's security professionals could implement on their own. It takes focus and commitment at the highest level to approve these investments, elevate the CISO role, and drive changes in employee behavior that can improve security.